* [Buildroot] [PATCH v2] package/iptables: add init script
@ 2021-09-14 13:21 José Pekkarinen
From: José Pekkarinen @ 2021-09-14 13:21 UTC (permalink / raw)
To: buildroot; +Cc: José Pekkarinen
This patch will add an init script that allows
a ruleset in /etc/iptables.conf to be loaded
on boot, or flushed on stop, as well as a save
command to generate a new file.
Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
---
[v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
package/iptables/S41iptables | 58 ++++++++++++++++++++++++++++++++++++
package/iptables/iptables.mk | 6 ++++
2 files changed, 64 insertions(+)
create mode 100644 package/iptables/S41iptables
diff --git a/package/iptables/S41iptables b/package/iptables/S41iptables
new file mode 100644
index 0000000000..93998b78de
--- /dev/null
+++ b/package/iptables/S41iptables
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+DAEMON="iptables"
+
+IPTABLES_ARGS=""
+
+start() {
+ printf 'Starting %s: ' "$DAEMON"
+ iptables-restore < /etc/iptables.conf
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ return "$status"
+}
+
+stop() {
+ printf 'Stopping %s: ' "$DAEMON"
+ iptables -F
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ return "$status"
+}
+
+restart() {
+ stop
+ sleep 1
+ start
+}
+
+save() {
+ printf 'Saving %s: ' "$DAEMON"
+ iptables-save > /etc/iptables.conf
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ return "$status"
+}
+
+case "$1" in
+ start|stop|restart|save)
+ "$1";;
+ reload)
+ # Restart, since there is no true "reload" feature.
+ restart;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload}"
+ exit 1
+esac
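Review bot: `stop` only runs `iptables -F`, which flushes the rules of the filter table and leaves the nat, mangle and raw tables, user-defined chains and the built-in chain policies untouched; when the saved ruleset sets a DROP policy (`:INPUT DROP [0:0]`), `stop` leaves the box with no rules and a DROP policy, so either reset the policies to ACCEPT and flush and delete chains in every table (`iptables -t nat -F`, `iptables -X`, ...) or document that stop does not undo the ruleset. The usage line in the `*)` branch should list `save`, since the case statement accepts it. `IPTABLES_ARGS` is set but never used; drop it or pass it to `iptables-restore`. `start` should check that the file is non-empty (`[ -s /etc/iptables.conf ]`) before restoring, because iptables.mk installs it empty and a first boot then prints OK without loading any rules. `save` redirects into /etc with no check for a read-only rootfs; skip the write and report it in that case. Finally, S41 orders the script after S40network, so interfaces come up before the ruleset is loaded; loading the rules before networking (a lower S number) closes that window.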
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index dc01466607..1d3612dbf6 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -57,4 +57,10 @@ define IPTABLES_LINUX_CONFIG_FIXUPS
$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
endef
+define IPTABLES_INSTALL_INIT_SYSV
+ $(INSTALL) -m 0755 -D package/iptables/S41iptables \
+ $(TARGET_DIR)/etc/init.d/S41iptables
+ touch $(TARGET_DIR)/etc/iptables.conf
+endef
+
$(eval $(autotools-package))
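Review bot: `touch $(TARGET_DIR)/etc/iptables.conf` creates the ruleset file with whatever umask the build runs under (0644 is typical), so on the target every local user can read the saved firewall policy; create it with an explicit mode instead, e.g. `$(INSTALL) -m 0600 /dev/null $(TARGET_DIR)/etc/iptables.conf`. Only the SysV init hook is added: there is no `IPTABLES_INSTALL_INIT_SYSTEMD` counterpart, so systemd-based configurations get no unit and no ruleset at boot; either add one or state in the commit message that this is SysV-only. The commit message should also say that the file is shipped empty and that users are expected to provide it through a rootfs overlay or the `save` command.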
--
2.25.1
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Baruch Siach @ 2021-09-14 16:20 UTC (permalink / raw)
To: José Pekkarinen; +Cc: buildroot
Hi José,
On Tue, Sep 14 2021, José Pekkarinen wrote:
> This patch will add an init script that allows
> a ruleset in /etc/iptables.conf to be loaded
> on boot, or flushed on stop, as well as a save
> command to generate a new file.
>
> Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
> [v1 -> v2] s/touch $(DESTDIR)/touch $(TARGET_DIR)/
> +save() {
> + printf 'Saving %s: ' "$DAEMON"
> + iptables-save > /etc/iptables.conf
What about read-only rootfs?
baruch
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 9:14 UTC (permalink / raw)
To: Baruch Siach; +Cc: buildroot
On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> Hi José,
>
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > + printf 'Saving %s: ' "$DAEMON"
> > + iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?
>
Very good point, will it work if we check whether
the rootfs is ro or rw, and execute on that behalf?
Thanks for the comments!
José.
--
José.
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Baruch Siach via buildroot @ 2021-09-15 10:05 UTC (permalink / raw)
To: José Pekkarinen; +Cc: buildroot
Hi José,
On Wed, Sep 15 2021, José Pekkarinen wrote:
> On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> On Tue, Sep 14 2021, José Pekkarinen wrote:
> > + printf 'Saving %s: ' "$DAEMON"
> > + iptables-save > /etc/iptables.conf
>
> What about read-only rootfs?
>
> Very good point, will it work if we check whether
> the rootfs is ro or rw, and execute on that behalf?
I'm not sure that this script is a good idea to begin with for the
default installation. But if the maintainers think it is, the script
should skip the save operation for read-only filesystems. See how
package/urandom-scripts/S20urandom handles that.
baruch
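As an added example (not code from the patch, and not Buildroot's S20urandom), here is how the save step can detect a read-only rootfs from a /proc/mounts-style table and skip the write instead of failing; the mount tables and the iptables-save stub are constructed inline so it runs without touching a real firewall.

```shell
#!/bin/sh
# Added example, not part of the patch or of Buildroot's S20urandom: a save
# step that checks whether "/" is mounted read-only before writing the ruleset.
# Assumptions: a /proc/mounts-style file (device mountpoint fstype options
# dump pass) is available, and the save command is passed in by name.

# rootfs_is_ro [MOUNTS_FILE]
#   Returns 0 when the last "/" entry in MOUNTS_FILE (default /proc/mounts)
#   carries the "ro" mount option, 1 otherwise. The last entry wins because a
#   remount of / is listed after the initial rootfs line.
rootfs_is_ro() {
    mounts="${1:-/proc/mounts}"
    opts=$(awk '$2 == "/" { o = $4 } END { print o }' "$mounts")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# save_ruleset MOUNTS_FILE CONF_FILE [SAVE_CMD]
#   Same shape as the patch's save(), but skips the write on a read-only
#   rootfs and returns 2 so callers can tell "skipped" from "failed" (1).
#   SAVE_CMD defaults to iptables-save; the demo below substitutes a stub.
save_ruleset() {
    mounts="$1"
    conf="$2"
    save_cmd="${3:-iptables-save}"
    printf 'Saving iptables: '
    if rootfs_is_ro "$mounts"; then
        echo "SKIPPED (read-only rootfs)"
        return 2
    fi
    if "$save_cmd" > "$conf"; then
        echo "OK"
        return 0
    fi
    echo "FAIL"
    return 1
}

# Constructed sample mount tables and a stub for iptables-save, so the
# script runs stand-alone without reading the real firewall state.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    '/dev/root / ext4 ro,relatime 0 0' \
    'proc /proc proc rw,nosuid,nodev 0 0' > "$SAMPLE_DIR/mounts_ro"
printf '%s\n' \
    '/dev/root / ext4 rw,relatime,errors=remount-ro 0 0' \
    'tmpfs /tmp tmpfs rw,nosuid 0 0' > "$SAMPLE_DIR/mounts_rw"

# Stand-in for iptables-save: emits a minimal constructed ruleset.
stub_iptables_save() {
    printf '*filter\n:INPUT DROP [0:0]\nCOMMIT\n'
}

# Demo: the read-only table is skipped (status 2), the writable one is saved.
save_ruleset "$SAMPLE_DIR/mounts_ro" "$SAMPLE_DIR/iptables.conf" stub_iptables_save || true
save_ruleset "$SAMPLE_DIR/mounts_rw" "$SAMPLE_DIR/iptables.conf" stub_iptables_save
```

Note that `errors=remount-ro` is not mistaken for the `ro` option, because the check matches the whole comma-separated token.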
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 11:41 UTC (permalink / raw)
To: Baruch Siach; +Cc: buildroot
On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> > On Tue, Sep 14 2021, José Pekkarinen wrote:
> > > + printf 'Saving %s: ' "$DAEMON"
> > > + iptables-save > /etc/iptables.conf
> >
> > What about read-only rootfs?
> >
> > Very good point, will it work if we check whether
> > the rootfs is ro or rw, and execute on that behalf?
>
> I'm not sure that this script is a good idea to begin with for the
> default installation. But if the maintainers think it is, the script
> should skip the save operation for read-only filesystems. See how
> package/urandom-scripts/S20urandom handles that.
>
Thanks again, I'm testing a patch to solve the ro rootfs
issue. Is there any better approach to have a firewall ruleset
by default in the final image?
Best regards.
José.
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: Bartosz Biłas @ 2021-09-15 12:11 UTC (permalink / raw)
To: José Pekkarinen; +Cc: buildroot
Hello José,
On 9/15/21 1:41 PM, José Pekkarinen wrote:
>
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
>
> Hi José,
>
> On Wed, Sep 15 2021, José Pekkarinen wrote:
> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
> > On Tue, Sep 14 2021, José Pekkarinen wrote:
> > > +save() {
> > > + printf 'Saving %s: ' "$DAEMON"
> > > + iptables-save > /etc/iptables.conf
> >
> > What about read-only rootfs?
> >
> > Very good point, will it work if we check whether
> > the rootfs is ro or rw, and execute on that behalf?
>
> I'm not sure that this script is a good idea to begin with for the
> default installation. But if the maintainers think it is, the script
> should skip the save operation for read-only filesystems. See how
> package/urandom-scripts/S20urandom handles that.
>
>
> Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?
Did you try to use a post-build script to copy this file into your image?
Best
Bartek
* Re: [Buildroot] [PATCH v2] package/iptables: add init script
From: José Pekkarinen @ 2021-09-15 12:20 UTC (permalink / raw)
To: Bartosz Biłas; +Cc: buildroot
On Wed, Sep 15, 2021 at 3:11 PM Bartosz Biłas <b.bilas@grinn-global.com> wrote:
> Hello José,
> On 9/15/21 1:41 PM, José Pekkarinen wrote:
> On Wed, Sep 15, 2021 at 1:09 PM Baruch Siach <baruch@tkos.co.il> wrote:
>
>> Hi José,
>>
>> On Wed, Sep 15 2021, José Pekkarinen wrote:
>> > On Tue, Sep 14, 2021 at 7:22 PM Baruch Siach <baruch@tkos.co.il> wrote:
>> > On Tue, Sep 14 2021, José Pekkarinen wrote:
>> > > + printf 'Saving %s: ' "$DAEMON"
>> > > + iptables-save > /etc/iptables.conf
>> >
>> > What about read-only rootfs?
>> >
>> > Very good point, will it work if we check whether
>> > the rootfs is ro or rw, and execute on that behalf?
>>
>> I'm not sure that this script is a good idea to begin with for the
>> default installation. But if the maintainers think it is, the script
>> should skip the save operation for read-only filesystems. See how
>> package/urandom-scripts/S20urandom handles that.
>>
>
> Thanks again, I'm testing a patch to solve the ro rootfs
> issue. Is there any better approach to have a firewall ruleset
> by default in the final image?
>
> Did you try to use a post-build script to copy this file into your image?
>
Hi,
I'm using the overlay to populate the final file,
but iptables doesn't look for it itself; it requires
some external mechanism to load the rules. That
is why I proposed this init script, to have a sort
of default way from buildroot.
Best regards.
José.